1. 문제
https://dreamhack.io/wargame/challenges/24/
simple_sqli
로그인 서비스입니다. SQL INJECTION 취약점을 통해 플래그를 획득하세요. 플래그는 flag.txt, FLAG 변수에 있습니다. Reference Server-side Basic
dreamhack.io
2. 해결 과정
조건문에 userid 가 'admin' 이고, 패스워드를 입력하면 FLAG 를 리턴한다고 되어있다.
์ด๋, userid๋ง ์ ๋๋ก admin์ผ๋ก ์ฃผ๊ณ ๊ทธ ๋ค์ ์ฟผ๋ฆฌ๋ฅผ ์ฃผ์์ฒ๋ฆฌํ๋ฉด admin์ ์ ๊ทผํ ์ ์๋ค.
@app.route('/login', methods=['GET', 'POST'])
def login():
    """Serve the login form on GET and check submitted credentials on POST.

    On POST the ``userid`` and ``userpassword`` form fields are looked up in
    the ``users`` table through ``query_db``. A truthy result is treated as a
    successful login, and its first element is used as the user id. The
    response for ``'admin'`` includes ``FLAG``; any other user gets a greeting
    alert, and a failed lookup gets a "wrong" alert.

    SECURITY: the lookup statement is assembled with an f-string, so both form
    values become part of the SQL text itself. This is the SQL injection flaw
    the challenge is built around. See the note at the query below.
    """
    if request.method == 'GET':
        return render_template('login.html')

    userid = request.form.get('userid')
    userpassword = request.form.get('userpassword')

    # SECURITY: request-controlled values are interpolated inside the quoted
    # SQL literals, so input is parsed as SQL syntax rather than as data. The
    # password condition is therefore not a reliable check.
    # Mitigation: keep the statement constant and pass the values as bound
    # parameters (placeholders). query_db's signature is not shown here, so
    # confirm it can forward parameters to the database driver.
    # NOTE(review): userpassword is compared directly with the stored column,
    # which suggests passwords are kept unhashed. Confirm against the schema.
    sql = f'select * from users where userid="{userid}" and userpassword="{userpassword}"'
    row = query_db(sql)
    if not row:
        return '<script>alert("wrong");history.go(-1);</script>'

    # The identity used from here on comes from the query result, not from
    # the submitted form field.
    userid = row[0]
    if userid == 'admin':
        return f'hello {userid} flag is {FLAG}'
    # NOTE(review): the value is placed into an inline script unescaped.
    # Encode it for the JavaScript/HTML context before rendering.
    return f'<script>alert("hello {userid}");history.go(-1);</script>'
성공